Anyone engaged in the logistics industry knows supply chain cybersecurity has been in the news lately, particularly in the “not-good” category. The interdependencies of the global supply chain make it uniquely complex when it comes to managing cybersecurity risks, including a company’s partners within the supply chain, the aggregated data they use to perform their services and the underlying transport itself. Each one of these aspects introduces an “attack vector” for cyber attackers, be they cyber criminals or state-sponsored actors. 

Consequently, the total number of attack vectors should be multiplied by the number of members or links in a supply chain, plus the cumulative data they share. Given the constant flow of high-value data across networks, it’s no small wonder that freight and logistics firm Accenture reported that one in four companies suffered reputational damage resulting from third-party cyber events. 

Beyond imputed reputational harm, there are multiple examples of destructive attacks. Washington State logistics company Expeditors was apparently hacked last year, forcing it to shut down much of its IT network. Airports and seaports have been targeted by distributed denial of service, or DDoS, attacks. Hellmann Worldwide Logistics sustained a cyberattack in December 2021 that disrupted operations for weeks. Trucking company Marten Transport was hacked last October. The Port of Lisbon was attacked in December, with criminals claiming to have stolen financials, audits, budgets, contracts and ships’ logs.

In addition, the National Security Agency’s director of cybersecurity told reporters at the RSA Conference in April that Russia has attempted to inject ransomware into Ukrainian logistics chains and those of countries supporting Ukraine. Microsoft had already acknowledged that ransomware attacks against transportation and logistics companies in Ukraine and Poland were linked to Russia. It’s not just criminals the industry is contending with; it’s nation-states and their proxies.

Combine these threats with the simple fact that logistics companies are largely tracking shipments and customer data with Internet of Things (IoT) devices in the cloud, leaving more digital targets in their wake. Anyone from shippers, maintainers and remote vendors to shared applications can have access to cloud data, which Verizon’s 2022 cybersecurity report noted as sometimes having misconfigurations, unauthorized accesses and insecure interfaces. 

Add in the recent development that a key aim of many phishing attacks has been to steal users’ credentials, providing attackers access to internal networks by pretending to be a recognized user. This refined tactic can allow delivery of ransomware from within a network, encrypting and exfiltrating data before defenders can respond.

The complexities these threats pose are daunting, yet indicate a need for added focus on those vitally important fundamentals necessary to defend an enterprise network. Good cyber hygiene can be maintained through “people” issues like training a workforce, prioritizing data and its defenses and communicating risks to leadership, combined with simple basics like patching and keeping certificates updated.

With increasing reliance on technology and third-party vendors in the logistics industry, mitigating cybersecurity risks has become a critical component of an organization’s risk management strategy. That strategy should begin with a presumption that a breach will occur, forcing a focus on resiliency. The emphasis then becomes reducing an attacker’s ability to exploit data and recovering quickly. 

A key ingredient for success is determining how to mitigate a vendor’s breach risk, which begins by ensuring its defenses are current and comply with applicable laws. For example, ensuring the vendor is actively defending its network is essential. This can be done internally with its own dedicated defenders or by using a managed security service provider. It should also have a current privacy policy and have customer and employee consents for data collection, both critical to mitigating damages under the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). 

Contracting processes between vendors and shippers is another crucial step for balancing financial risks and compliance. Shippers should use clearly written contracts defining the scope of services provided, including:

• Well-written security protocols providing clear and comprehensive guidelines to follow concerning protection of sensitive information. This should include details on how data is stored, who has access to it, procedures to safeguard it, and Incident Response Plans in case of a breach. It should also include conclusions from an annual “tabletop exercise” (TTX) held to stress and test those protocols and plans.
• Compliance with applicable federal, state and international data protection regulations. These regulations set out specific requirements for data protection and are essential for minimizing legal costs and penalties.
• Appropriate cybersecurity insurance coverage specifically covering cyber risks and providing adequate protection against cyber threats. 
• Avoidance of caps on vendor liability below cyber insurance policy limits. Agreeing to limitations on liability below the liability policy of a vendor (and therefore insurer) could significantly limit the amount of insurance coverage.  
• Clauses in vendor contracts requiring them to provide notification promptly and privately in the event of a cybersecurity incident. Notifications should detail the nature and scope of an incident, progress toward full mitigation and its potential impacts.

Finally, parties should agree to regular audits of data partners to help minimize cybersecurity risks. Audits may identify potential vulnerabilities and ensure partners are complying with their contractual obligations. These audits should be conducted at least annually and include reviews of policies and procedures, employee training programs and recent security incidents. The scope and frequency of the audit should increase depending on the sensitivity of the data being shared.  

A multi-faceted, comprehensive approach to mitigating vendor cybersecurity risks will improve resiliency for logistics companies, their employeesand customers. Written security protocols tested through a tabletop exercise (TTX), compliance with data protection regulations, current privacy policies and data consents, appropriate cybersecurity insurance coverage that avoids low liability caps, and clear notification procedures are each important contract considerations businesses should apply up and down the logistics supply chain. As the industry further absorbs cybersecurity into its risk management processes, there will be more turbulence. But taking fundamental steps can reduce those bumps.